How to fix the Splunk enterprise bundle validation...

Vaidesh · ‎10-29-2022

Recently i upgraded our splunk enterprise version from 9.0.0 to 9.0.1 in all our master , search head & indexer nodes. The order we updated is indexer - search head - master.

Once the upgrade was successfully done we weren't able to bring up the splunk cluster in which indexer node is keep on failing with the below mentioned error:

10-27-2022 23:02:27.083 +0000 ERROR CMSlave [91467 MainThread] - event=getActiveBundle failed with err="invalid active_bundle_id=.  Check the cluster manager for bundle validation/errors or other issues." even after multiple attempts, Exiting..
10-27-2022 23:02:27.106 +0000 ERROR loader [91467 MainThread] - Failed to download bundle from the cluster manager, err="invalid active_bundle_id=.  Check the cluster manager for bundle validation/errors or other issues.", Won't start splunkd.

There are no errors in master & search head node's logs. Please help me to fix this bundle validation error.

isoutamo · ‎10-30-2022

Hi

unfortunately you have had wrong update order and quite probably that has generated this issue. The correct order MN, SH and latest indexers. To avoid more issues you should contact to splunk support if they have information how to fix this with more issues.

r. Ismo

How to fix the Splunk enterprise bundle validation error in indexer nodes?

using Splunk Enterprise

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?